Technical Information
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\] 'Client Server Runtime Subsystem' = '"%PROGRAMDATA%\Windows\csrss.exe"'
- '%TEMP%\rad68ee2.tmp'
- rad68ee2.tmp
- %TEMP%\rad68ee2.tmp
- %PROGRAMDATA%\windows\csrss.exe
- %TEMP%\6893a5~1\state.tmp
- from %TEMP%\6893a5~1\state.tmp to %TEMP%\6893a5~1\state
- 'localhost':49175
- '20#.#3.223.34':80
- '15#.35.32.5':443
- http://se##er.com/.well-known/pki-validation/payments/docs/payments/payments/2c.jpg
- DNS ASK vi#####oupposter.com
- DNS ASK se##er.com
- '<SYSTEM32>\cmd.exe' /c %TEMP%\rad68EE2.tmp' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c %TEMP%\rad68EE2.tmp